CVE-2026-42886

🗓️ 11 May 2026 19:54:10Reported by GitHub_MType

cve🔗 web.nvd.nist.gov👁 11 Views🌐 WEB

Audiobookshelf DoS via oversized backup details entry causing memory exhaustion; fixed in 2.32.2.

Reporter	Title	Published	Views	Family All 9
ATTACKERKB	CVE-2026-42886	11 May 202619:54	–	attackerkb
Circl	CVE-2026-42886	11 May 202621:38	–	circl
CNNVD	Audiobookshelf 安全漏洞	11 May 202600:00	–	cnnvd
Cvelist	CVE-2026-42886 Audiobookshelf: Memory amplification DoS via oversized compressed details entry in backup upload	11 May 202619:54	–	cvelist
EUVD	EUVD-2026-29209	11 May 202619:54	–	euvd
NVD	CVE-2026-42886	11 May 202620:25	–	nvd
Positive Technologies	PT-2026-39751	11 May 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-42886	5 Jun 202619:30	–	redhatcve
Vulnrichment	CVE-2026-42886 Audiobookshelf: Memory amplification DoS via oversized compressed details entry in backup upload	11 May 202619:54	–	vulnrichment

Vulners

Node

advplyr audiobookshelfRange<2.33.2

[
  {
    "vendor": "advplyr",
    "product": "audiobookshelf",
    "versions": [
      {
        "version": "< 2.33.2",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/advplyr/audiobookshelf/security/advisories/GHSA-4jq4-rvq8-j26h

Parameter	Position	Path	Description	CWE
file	request body	/api/backups/upload	POST upload endpoint that decompresses details entry from a ZIP may cause excessive memory usage/out-of-memory on crafted uploads.	CWE-409
details.zip	request body	/api/backups/upload	POST upload endpoint that decompresses details entry from a ZIP may cause excessive memory usage/out-of-memory on crafted uploads.	CWE-409
archive	request body	/api/backups/upload	POST upload endpoint that decompresses details entry from a ZIP may cause excessive memory usage/out-of-memory on crafted uploads.	CWE-409

17 Jun 2026 10:48Current

5.8Medium risk

Vulners AI Score5.8

CVSS 3.14.9

EPSS0.00257

SSVC

CWE-409